Slashdot Mirror


Linux Foundation's Secure Boot Pre-Bootloader Released

hypnosec writes "The Linux Foundation's UEFI Secure Boot pre-bootloader for independent Linux distros and software developers has finally been released. Announcing the release of the secure boot system, James Bottomley noted that the signed pre-bootloader was delivered by Microsoft on February 6th. Bottomley has released two validated files: PreLoader.efi and HashTool.efi. Bottomley has also created a bootable mini-USB image that provides 'an EFI shell where the kernel should be and uses Gummiboot to boot.' Just last week the pre-bootloader had to be rewritten to accommodate booting of all versions of Linux."

178 comments

  1. Don't worry, somebody will break it. by Anonymous Coward · · Score: 0

    It'll take a week or two, and then they'll report that it blew up their computer, crashed the Internet, and impregnated their teenage daughter.

    1. Re:Don't worry, somebody will break it. by Anonymous Coward · · Score: 0

      It'll take a week or two, and then they'll report that it blew up their computer, crashed the Internet, and impregnated their teenage daughter.

      Uh, no sorry that was me :-)

    2. Re:Don't worry, somebody will break it. by jsrlepage · · Score: 0

      ...all at the same time.

      --
      This is my opinion. Everyone has a right to my opinion.
    3. Re:Don't worry, somebody will break it. by Luckyo · · Score: 1

      That's how you learn not to have sex on top of your PC tower, with router next to it, and with no additional furniture for support in the end game.

  2. What about *BSD? by ad454 · · Score: 5, Insightful

    This is great news for Linux distributions, and a small victory in the losing battle for openness.

    But in the spirit of openness, hopefully bootloaders for NetBSD, OpenBSD, and FreeBSD will also be eventually signed.

    Everyone should be able to install and run whatever they want on their own computers.

    1. Re:What about *BSD? by Anonymous Coward · · Score: 0

      So far they can. Just insert the OS's key in the motherboard's Secureboot keystore. This story simply means that Linux Foundation systems don't even need to do that anymore, as Microsoft's key (which will be present on basically all motherboards as stock) will accept them.

    2. Re:What about *BSD? by Anonymous Coward · · Score: 5, Interesting

      Incidentally.. Microsoft will have two keys. One for Windows, and another for "third party" stuff.

      So they can revoke everyone's software and leave theirs working.

      BTW: Anyone interested in the abuses that UEFI allows should read both the UEFI guidelines and the Microsoft Mandate (the rules they apply to OEMs for Win8 certs, and anyone wanting to have their software signed).

      Microsoft's rules violate several of the guidelines - unsurprisingly those to do with who actually controls the PC.

    3. Re:What about *BSD? by Anonymous Coward · · Score: 0

      GPL "gives" freedom by taking freedom away from developers, who ironically give freedom to the user, which means the end user is indirectly getting their freedoms taken away.

    4. Re:What about *BSD? by unixisc · · Score: 1

      He's talking about the OS, not licenses.

    5. Re:What about *BSD? by cupantae · · Score: 3, Informative

      the losing battle for openness

      What losing battle? Open source software hasn't been as prevalent as it is now since proprietary software first arose. Linux, in particular, is in the strongest position it's ever been in, and it looks like 2013 will be a very big year for Linux. Sure, there are always setbacks like this, but look: it's been just over 3 months since Windows 8 began to be sold, and the problem is already almost completely solved.

      But in the spirit of openness, hopefully bootloaders for NetBSD, OpenBSD, and FreeBSD will also be eventually signed.

      So you have time to whinge, but none to RTFA:

      A signed pre-bootloader will allow for chain-loading of boot-loader of any other operating system thereby enabling users to install non-signed Linux distros on Windows 8 UEFI hardware.

      Everyone should be able to install and run whatever they want on their own computers.

      Yes, but not everyone should be able to install or run whatever they want on your computer. In fairness, UEFI goes some way towards securing your PC. Microsoft did well for the consumer in that respect. They're also a fairly ruthless company, and they're not going to go out of their way to make sure you can install rival operating systems from day 1. But today, at about day 100, the problem is a long way towards being solved. Get over it.

    6. Re:What about *BSD? by TCM · · Score: 2

      No. In the spirit of openness, hopefully this bullshit will get eaten by the anti-monopoly regulation.

      Giving in to this bullshit was the most stupid thing the Linux guys could do.

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    7. Re:What about *BSD? by Anonymous Coward · · Score: 0

      "Yes, but not everyone should be able to install or run whatever they want on your computer."

      Then Microsoft should fix their goddamn insecure OS, not implement stupid bootloader quasi-security that does nothing but inconvenience everyone that doesn't run a Microsoft OS.

    8. Re:What about *BSD? by Anonymous Coward · · Score: 0

      In the USA, we have laws which restrict the ability for monopolistic companies to abuse their monopoly. This fix is inadequate and an adequate fix should have been available before Windows 8 was even released, or Microsoft should pay severely for these abuses of monopoly power. A fine in the billions, restrictions against their ability to make deals with OEMs, both PC makers and Tablet/Phone makers, and breaking the company's OS business away from all of its other software offerings would be a first small step.

    9. Re:What about *BSD? by osu-neko · · Score: 2

      Well, yes. UEFI can only make guidelines. Microsoft can impose rules...

      --
      "Convictions are more dangerous enemies of truth than lies."
    10. Re:What about *BSD? by osu-neko · · Score: 1

      No. In the spirit of openness, hopefully this bullshit will get eaten by the anti-monopoly regulation.

      Yes, sooner or later, Microsoft's behavior will become so egregious again that they will once again be forced to pay a small fine and give people coupons before being allowed to continue what they were doing...

      --
      "Convictions are more dangerous enemies of truth than lies."
    11. Re:What about *BSD? by Anonymous Coward · · Score: 1

      And yet strangely... whenever this is discussed.. the shills for UEFI quote the guidelines, not the Microsoft imposed reality.

    12. Re:What about *BSD? by Anonymous Coward · · Score: 0

      2013 will be a very big year for Linux.

      Yes, I hear it will definitely be the year of Linux on the desktop.

    13. Re:What about *BSD? by dissy · · Score: 2

      But today, at about day 100, the problem is a long way towards being solved. Get over it.

      I interpreted it a little differently. Today at about day 100, Microsoft has won its war against Linux.

      Microsoft started by saying you don't want to use Linux because it's inferior, but they were easily shown to be wrong.

      Then Microsoft turned to saying it was illegal to use Linux because it's a mess of copyrights and patents, as well as infected with a viral license that destroys businesses. It took a lawsuit a decade long with one of this country's top companies (at the time) to finally prove otherwise.

      Now, today, Microsoft has finished by saying Linux can and will only exist at Microsoft's whim. They hold the keys to the kingdom, and can lock and unlock any OS as they see fit.
      Please note I am not speaking of a technical measure, but a legal one.

      Instead of having the UEFI key signing authority forced from Microsoft's hands and taken away by power of law, now we are humbly begging for permission to be allowed to use non-windows on our own computers, while also praying the check clears to buy that capability which should be a natural right.

      Now I'm not trying to claim that would have been an easy battle, and I myself certainly have not put my own money life and future on the line to fight for it either.
      But I still believe that battle not being won is what will make all those "Yeay tablets and phones, we are in the post PC era now!" predictions come true.

      The FCC already went back on their fair use ruling about jailbreaking and being allowed to run the software you choose to run. If you didn't notice, only jailbreaking the iPhone is still an exception to the law. Do the same thing on another device that's just a bit bigger (an iPad) or made by any other manufacturer, and you are committing a federal crime.

      If Microsoft officially claims they have revoked the certificate and thus permission for the Linux preboot loader, then instantly every desktop and server in this country running Linux is in violation of the law. Booting it is a felony.

      While no I do not trust Microsoft, I have to say I can't see myself trusting ANYONE with this power.
      Signed booting absolutely MUST be controlled at the highest level by the owner of the computer. No one else!

      This means there should be ZERO keys or certs installed by default, and it should be a very serious crime to try and sneak one in, similar to any other mass scale computer intrusion laws.

      One should be required to learn how it works, why it works, what the advantages of signing your own boot loader would be, and then using that knowledge to enable it and upload your keys.
      If someone can't do that, then clearly they don't need this feature.

    14. Re:What about *BSD? by cupantae · · Score: 1

      Now, today, Microsoft has finished by saying Linux can and will only exist at Microsoft's whim. They hold the keys to the kingdom, and can lock and unlock any OS as they see fit. [...] now we are humbly begging for permission to be allowed to use non-windows on our own computers, while also praying the check clears to buy that capability which should be a natural right. [...] If Microsoft officially claims they have revoked the certificate and thus permission for the Linux preboot loader, then instantly every desktop and server in this country running Linux is in violation of the law. Booting it is a felony.

      I emphasized the bits in your post that were sensational nonsense.
      Microsoft could never revoke the keys for Linux, because it is actually too popular for them to get away with it.

      Signed booting absolutely MUST be controlled at the highest level by the owner of the computer. No one else!

      Agreed.

      This means there should be ZERO keys or certs installed by default, and it should be a very serious crime to try and sneak one in, similar to any other mass scale computer intrusion laws.
      One should be required to learn how it works, why it works, what the advantages of signing your own boot loader would be, and then using that knowledge to enable it and upload your keys.
      If someone can't do that, then clearly they don't need this feature.

      Now I think you're being ridiculous. You can't expect regular end-users to understand the workings of something just to get to use it. It's not the way most people want technology to work, and it doesn't have to be.

    15. Re:What about *BSD? by AmiMoJo · · Score: 3, Insightful

      One issue that never seems to be mentioned but could be potentially huge is that the signed bootloader requires user interaction to boot. It was designed that way to prevent malware using the bootloader to silently root the OS, the very thing SecureBoot was designed to prevent.

      It won't boot until you press a key to continue. Many Linux machines don't have any facility for that, either because they are a tablet with no physical keyboard or because they are a headless server with no-one around to operate them locally.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    16. Re:What about *BSD? by AmiMoJo · · Score: 1

      Can MS really revoke the third party key though? Can they remove it from the UEFI BIOS via a software update? One of the key features of Secure Boot is that random viruses can't install their own keys, or more generally that any code, signed or otherwise, can't install keys. Only the user or manufacturer assembling the BIOS image can do that.

      They could block third party keys on new hardware, but not revoke them on old hardware.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    17. Re:What about *BSD? by kestasjk · · Score: 1

      We're talking about Microsoft here! They'll do anything they can to prevent Linux running on their hardware and block out all competition.

      --
      // MD_Update(&m,buf,j);
    18. Re:What about *BSD? by Anonymous Coward · · Score: 0

      >"is in the strongest position it's ever been in, and it looks like 2013 will be a very big year for Linux."

      I just spit out my drink as I expected you to finish with 2013 being the Year of the Desktop. Get real, fewer consumers are exposed to Linux now that Android and Chrome, both built with Linux kernel on the backend (but really, who cares?) but have proprietary systems and languages on top.

      To be honest, it looks like 2013 is the year of Android, not Linux. And Android is fragmented and fought over just like Linux was.

    19. Re:What about *BSD? by Anonymous Coward · · Score: 0

      a small victory in the losing battle for openness.

      At best this is a tactical victory. On the strategic side of things it's a Microsoft win.

    20. Re:What about *BSD? by jhol13 · · Score: 1

      "UEFI goes some way towards securing your PC."

      How? What does the UEFI do to "secure my PC"? I claim the positive effect is infinitesimal and hugely shadowed by negative effects.

      What UEFI secures is the pre-bootloader. Nothing more, it has nothing to do with bootloader, kernel, drivers, system programs or set-up data, user programs or user data. The likely place for a trojan is perhaps the system programs and their settings - as long as a trojan can change your sshd_config you really do not care whether pre-bootloader is OK or not.
      The number of security exploits released weekly is astounding, there is no lack of them so there will be trojans and viruses, etc. and the UEFI does nothing to prevent those.
      How does the UEFI "secure"? By causing total DoS - you cannot even boot your machine. I'd much rather boot with knowledge my machine is compromised than not boot at all. Most damning, the pre-bootloader sector could be secured by disk-controller "TPM" much better than with UEFI, e.g. with unclearable flag to prevent writing to sector 0.

      So how does the UEFI "go towards securing your PC"? It does not.

    21. Re:What about *BSD? by tlhIngan · · Score: 1

      This is great news for Linux distributions, and a small victory in the losing battle for openness.

      But in the spirit of openness, hopefully bootloaders for NetBSD, OpenBSD, and FreeBSD will also be eventually signed.

      Everyone should be able to install and run whatever they want on their own computers.

      You still can.

      You see, in order to get that "Windows" logo, a PC (x86/x64) MUST have an option to disable secure boot. In which case, the UEFI will perform a "legacy boot" using the MBR/partition loaders as has been the PC architecture for 30 years now.

      The only reason for signed loaders is so a user doesn't have to dive into the UEFI to switch the setting around.

      And this option will be around for a while as Windows 7 can't do UEFI boot unless you're 64-bit, and a lot of companies are only beginning their Windows 7 migrations.

    22. Re:What about *BSD? by TangoMargarine · · Score: 2

      It's all sensationalistic nonsense until it actually happens. Which seems to be just a matter of time and judicial incompetence. If you want to be optimistic about it, that's your own business, but I am NOT.

      Yes, it makes it more difficult for the end user. But I'm sure somebody has made a quote about convenience and liberty at some point (Ben Franklin?). That's a wholly different argument.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    23. Re:What about *BSD? by Anonymous Coward · · Score: 0

      I interpreted it a little differently. Today at about day 100, Microsoft has won its war against Linux.

      Verisign hold the keys, Intel control the UEFI. And you are a dickhead. I've read your previous posts. You are consistently a dickhead.

    24. Re:What about *BSD? by Anonymous Coward · · Score: 0

      The problem is a computer can have multiple owners, so "but not everyone should be able to install or run whatever they want on your computer." Problem is, this restricts the use of the computer for anyone else later. UEFI really won't help a damn when it comes to trojans.

      The problem is far from solved, the walled gardens are springing up everywhere.

    25. Re:What about *BSD? by dissy · · Score: 1

      Now, today, Microsoft has finished by saying Linux can and will only exist at Microsoft's whim. They hold the keys to the kingdom, and can lock and unlock any OS as they see fit. [...] now we are humbly begging for permission to be allowed to use non-windows on our own computers, while also praying the check clears to buy that capability which should be a natural right. [...] If Microsoft officially claims they have revoked the certificate and thus permission for the Linux preboot loader, then instantly every desktop and server in this country running Linux is in violation of the law. Booting it is a felony.

      I emphasized the bits in your post that were sensational nonsense.
      Microsoft could never revoke the keys for Linux, because it is actually too popular for them to get away with it.

      Apologies in advance if I miscopied any emphasized parts above. The editor does not want to cooperate with that.
      But it will be easier to address each, as I do not agree with your assessment. Sensational perhaps, but that doesn't mean I am incorrect or exaggerating the truth.

      Microsoft has finished by saying Linux can and will only exist at Microsoft's whim

      And the past 100-ish days prove that to be correct, as Linux was not yet bootable on these new systems without first blanking the certificates out of the BIOS.
      Yes for now the "generic" PC hardware has this ability, but already more than just Microsoft's tablet/embedded hardware prevents this (aka all Arm systems win8-rt certified)
      This was obviously their choice to make that distinction, which is what "whim" means.

      while also praying the check clears to buy that capability

      Are you claiming it does not cost money for the developer program to have your software signed?

      And the biggie:
      Me: If Microsoft officially claims they have revoked the certificate and thus permission for the Linux preboot loader, then instantly every desktop and server in this country running Linux is in violation of the law. Booting it is a felony.

      You: Microsoft could never revoke the keys for Linux, because it is actually too popular for them to get away with it.

      I do not see any exception or provision written into the DMCA or copyright law that states being some value of popular will have any effect upon having the copyright holder's permission being no longer required.

      I see you did not quote me saying this would not be a technical key revoke but a legal one.

      The process goes like this.
      1 - Microsoft makes an announcement - as in just using words - that the certificate issued to this preboot loader is now revoked.
      2 - Technically, not much changes. Only systems that check CRLs would actually up and stop working, and I am unsure how many (if any) currently do that at all. Even the ARM WinRT restricted devices.
      3 - Legally however, using any software signed under that certificate/name is a copyright violation. It is being done without permission.

      So, despite having had permission previously, said permission is now publicly revoked.
      There is no license to run that software, and bypassing any such protections is a DMCA violation, another federal law.
      Utilizing a perfectly valid in every technical way certificate to sign anything is also a DMCA violation regarding tools used to bypass copyright protections. Again, legal protections, the courts have repeatedly ruled the technicalities do not matter.

      Just because there would be massive negative repercussions towards Microsoft for actually doing this, there is nothing actually or legally stopping them from doing so. So far we only have a claim they will not do so. As I mentioned, I wouldn't trust Microsoft as far as Ballmer could throw one of their chairs.

      But the facts remain:
      - Stated permission is the only metric that matters when it comes to copyright.
      - Bypassing the

    26. Re:What about *BSD? by shutdown+-p+now · · Score: 1

      Microsoft's power on the matter is strictly economical. It cannot mandate that all PCs, or even all PCs sold with Win8, have UEFI Secure Boot. The requirement comes from Win8 hardware certification program, so it's only necessary if the OEMs want that "Designed for Windows 8" sticker on their hardware.

      Now, Windows having the lion's share of desktop OS market, most OEMs do want the sticker, and so they have to follow the certification guidelines. However, this does not mean that Microsoft is free to put whatever it wants in those guidelines - it's always constrained by being in a dominant market position, and therefore having government anti-trust commissions in various countries watch its every step - not to mention the competitors who'd sue for the same at the first hint of a slip.

      So the status quo will remain for years to come, for as long as Windows remains the dominant desktop OS. But if it ever happens that it doesn't, then the point will be moot, since MS economic power will be correspondingly diminished - and you'll have plenty of PCs to buy not burdened with any restrictions.

    27. Re:What about *BSD? by shutdown+-p+now · · Score: 1

      Why would anti-monopoly guys get involved, seeing as Linux (and other competing OSes) are working on MS-certified hardware with the present arrangement? What's the anti-competition angle here?

    28. Re:What about *BSD? by shutdown+-p+now · · Score: 1

      MS paid something on the order of $2 billion in various fines and non-compliance fees in EU last time an anti-trust issue came up (with IE). And EU anti-trust fines usually grow significantly for repeat offenses.

    29. Re:What about *BSD? by Anonymous Coward · · Score: 0

      Can MS really revoke the third party key though? Can they remove it from the UEFI BIOS via a software update?

      They can probably do that - IF you run Windows. (And if they try something like that, it'll be possible to disassemble that software and find out how it reprograms the BIOS, allowing skilled people to fix it.)

      If you install Linux (at a time when this key is valid) and use Linux only, then no. They will not be able to revoke the key from your computer, when they cannot run their software on it.

    30. Re:What about *BSD? by Anonymous Coward · · Score: 0

      Secure boot is secure against the owner of the computer.

    31. Re:What about *BSD? by Anonymous Coward · · Score: 0

      The simple way to fix this is to have a hardware switch that when in normal position doesn't let "insecure" OSes get installed...then when switched to the other position allows you to do whatever the hell you want....being hardware it is impossible to circumvent unless you have physical access to the machine.

      This way normal users who don't want to change anything on their computers will be able to be blissfully unaware and leave the switch alone....anybody who is interested in this kind of thing could just flick a switch

    32. Re:What about *BSD? by sd1248 · · Score: 1

      It won't boot until you press a key to continue. Many Linux machines don't have any facility for that, either because they are a tablet with no physical keyboard or because they are a headless server with no-one around to operate them locally.

      I can see there will be a market for a USB device that emulates a keyboard and sends a keypress at a predetermined delay after power on. It shouldn't cost much to make and can be easily installed in servers that are required to reboot after a power outage.

    33. Re:What about *BSD? by Anonymous Coward · · Score: 0

      If Microsoft officially claims they have revoked the certificate and thus permission for the Linux preboot loader

      How? I mean literally how do you think they can do that? What does "revoke the certificate" even mean? There is no certificate, it's a key, and there is no concept of 'revoking' a key. I dunno what sort of agenda you have here but you clearly don't have any idea what you're talking about.

      then instantly every desktop and server in this country running Linux is in violation of the law.

      In violation of what law? Certainly not the DMCA, unless you have some bizarre interpretation of that law, which it indeed appears you do. So please explain how running an OS under SecureBoot with a valid (the same key the OS is signed with) key - any key for that matter - could ever be in violation of the DMCA?

      Booting it is a felony.

      No.

      Signed booting absolutely MUST be controlled at the highest level by the owner of the computer. No one else!

      It already is, you can install and uninstall keys all you want, hell you can even turn it all off if you don't want it at all.

      This means there should be ZERO keys or certs installed by default, and it should be a very serious crime to try and sneak one in, similar to any other mass scale computer intrusion laws.

      So you should be sold a system with an OS and then they make you install the key for it? Since the system should be controlled by the user should all desktops, laptops, tablets and phones be sold without any software at all so that the user has to install it themselves? If you want to install an OS other than the one it came with then either install a key for it or turn off SecureBoot, the user has full control over this.

    34. Re:What about *BSD? by exomondo · · Score: 1

      It won't boot until you press a key to continue. Many Linux machines don't have any facility for that, either because they are a tablet with no physical keyboard or because they are a headless server with no-one around to operate them locally.

      Why would you want secureboot on such devices?

    35. Re:What about *BSD? by exomondo · · Score: 1

      we are humbly begging for permission to be allowed to use non-windows on our own computers

      You're doing it wrong, just turn secureboot off.

      If Microsoft officially claims they have revoked the certificate and thus permission for the Linux preboot loader, then instantly every desktop and server in this country running Linux is in violation of the law. Booting it is a felony.

      That's an interesting take, how would one revoke a UEFI key? And how would revocation - assuming such a thing exists and is possible - of a key result in permission to load the pre-bootloader being denied? Permission to load the bootloader is granted/denied by the UEFI firmware, which makes the decision based on whether the installed key matches that of the signed bootloader, so what you're saying makes absolutely no sense, it just demonstrates a fundamental misunderstanding of how secureboot works.

    36. Re:What about *BSD? by lsatenstein · · Score: 1

      the losing battle for openness

      What losing battle? Open source software hasn't been as prevalent as it is now since proprietary software first arose. Linux, in particular, is in the strongest position it's ever been in, and it looks like 2013 will be a very big year for Linux. Sure, there are always setbacks like this, but look: it's been just over 3 months since Windows 8 began to be sold, and the problem is already almost completely solved.

      But in the spirit of openness, hopefully bootloaders for NetBSD, OpenBSD, and FreeBSD will also be eventually signed.

      So you have time to whinge, but none to RTFA:

      A signed pre-bootloader will allow for chain-loading of boot-loader of any other operating system thereby enabling users to install non-signed Linux distros on Windows 8 UEFI hardware.

      Everyone should be able to install and run whatever they want on their own computers.

      Yes, but not everyone should be able to install or run whatever they want on your computer. In fairness, UEFI goes some way towards securing your PC. Microsoft did well for the consumer in that respect. They're also a fairly ruthless company, and they're not going to go out of their way to make sure you can install rival operating systems from day 1. But today, at about day 100, the problem is a long way towards being solved. Get over it.

      ===
      Perhaps Linux distributions are lucky because retail sales of W8 are far below expectations. I visited several big box stores, and the space previously allocated to computers is now shared with Tablets (Mainly Android) and Big screen TVs. If W8 end-user sales were significant, we could experience accidental tricks by MS to block all other OSs. And those accidents would happen as a means of protecting market share. Who is to say what MS would not do.

      --
      Leslie Satenstein Montreal Quebec Canada
    37. Re:What about *BSD? by Anonymous Coward · · Score: 0

      So you have time to whinge, but none to RTFA:

      Why do the majority (it seems) of Slashdotters use the British spelling of 'whine'? It doesn't even look right, and is far less prevalent than 'colour' or words that end in 're' (sabre, theatre).

    38. Re:What about *BSD? by exomondo · · Score: 1

      Why do the majority (it seems) of Slashdotters use the british spelling of 'whine'?

      You mean 'whinge'? A synonym of the word 'whine' which is both spelled and pronounced differently?

    39. Re:What about *BSD? by TCM · · Score: 1

      I dunno, maybe that the Linux guys have to report to MS to have their stuff working? Duh?

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    40. Re:What about *BSD? by shutdown+-p+now · · Score: 1

      For one thing, they don't, since the switch to disable Secure Boot is always there on Intel machines, and can be turned off by any user. This whole thing was about making it so that the users don't even need to do that (but I'd bet that the switch alone is sufficient to alleviate any anti-trust concerns).

      And beyond that, having to "report to MS" is not an issue since it results in a solution that works for everyone. If that were to change - if MS was ever to revoke the keys - then, yes, I'd imagine there would be a lawsuit and an investigation. But not before then.

    41. Re:What about *BSD? by dissy · · Score: 1

      That's an interesting take, how would one revoke a UEFI key?

      Dunno, doesn't seem possible to me with the current state of hardware. Why do you ask? Seems a bit off topic, since I was discussing permission and not certificates or keys.

      And how would revocation - assuming such a thing exists and is possible - of a key result in permission to load the pre-bootloader being denied?

      Dunno, I never said anything about revoking a key.
      However one revokes permission by using the words "you no longer have permission"

      Permission to load the bootloader is granted/denied by the UEFI firmware, which makes the decision based on whether the installed key matches that of the signed bootloader, so what you're saying makes absolutely no sense, it just demonstrates a fundamental misunderstanding of how secureboot works.

      No, the boot loader only knows if the software being booted was signed by a key that is paired to a key stored in UEFI. It can't possibly know about a legal construct such as permission or about copyright law. All it "knows" is the math adds up on the bits it's looking at.

      The misunderstanding here is completely on your part, which is obvious with the topics you keep bringing up.
      You are speaking of technical measures. I am speaking of legal measures.

      To give you an extreme example, assuming you own a car, you would have a key to that car.
      The key is the technical measure that lets you in and keeps others out.
      Ownership of that car however is a name on a piece of paper registered with the government.
      If I had a friend who was a corrupt judge, those papers could easily be changed to assign ownership to me. Legally (at least for a very short time with that example) I could use that paper as proof your car is owned by me. But absolutely NONE of that paperwork however would suddenly make your key stop working.
      You can go on and on about possessing the key all you want, but everyone I present that paper to would believe me over you, until other people in the legal system got things straightened out.

      That is the difference between a legal matter and a technical matter. The two rarely have anything to do with each other.

    42. Re:What about *BSD? by exomondo · · Score: 1

      Dunno, doesn't seem possible to me with the current state of hardware. Why do you ask?

      Because the only way to remove permission for the bootloader to boot the OS is to revoke a key, you can tell me I don't have permission all you want, ain't gonna make a shit of difference though, you - like Microsoft - don't have any authority over that.

      Seems a bit off topic, since I was discussing permission and not certificates or keys.

      Seems you fail at reading comprehension on your own post, try reading it again then you won't look so foolish:
      If Microsoft officially claims they have revoked the certificate and thus permission for the Linux preboot loader

      Dunno, I never said anything about revoking a key.

      You said 'certificate' as opposed to 'key', given there is no such 'certificate' I figured you meant 'key', if you'd like to explain what you meant by 'revoked the certificate' we can clear up that misunderstanding.
      If Microsoft officially claims they have revoked the certificate and thus permission for the Linux preboot loader

      However one revokes permission by using the words "you no longer have permission"

      Wrong, they do not have control, they can say "you no longer have permission" all they want, makes no difference whatsoever as they have no authority.

      No, the boot loader only knows if the software being booted was signed by a key that is paired to a key stored in UEFI. It can't possibly know about a legal construct such as permission or about copyright law.

      It doesn't need to.

      The misunderstanding here is completely on your part, which is obvious with the topics you keep bringing up.
      You are speaking of technical measures. I am speaking of legal measures.

      Of course I'm talking about technical measures, because the legal measures you suggest do not exist in this context. Microsoft doesn't have any power to dictate whether you have permission to boot an OS or not...I don't know why you think they do.

    43. Re:What about *BSD? by dissy · · Score: 1

      Well now that you've decided to be all insulting for no good reason, I will too.

      Because the only way to remove permission for the bootloader to boot the OS is to revoke a key, you can tell me I don't have permission all you want, ain't gonna make a shit of difference though, you - like Microsoft - don't have any authority over that.

      Thank you for finally admitting I am right.

      You do as you say, and don't give a shit like you say, then you are violating copyright and the DMCA. You're now a felon. Congrats!

      I'll let you argue with the judges that have ruled and set precedent that copyright holders can't dictate who can make a copy of their work, as well as argue with the judge that declared loading a program into RAM is copying.

      You are now openly stating you can and will violate copyright because there are no technical measures that will prevent you. You think because you won't get caught that it is still somehow magically legal.

      I can only hope the EFF doesn't waste our collective money on your case.

    44. Re:What about *BSD? by exomondo · · Score: 1

      You do as you say, and don't give a shit like you say, then you are violating copyright and the DMCA. You're now a felon. Congrats!

      But the fact is in doing so you are not violating the DMCA. There is no law against booting Linux, and Microsoft telling you that you don't have permission doesn't change that, even if you so desperately want to bend yourself to Microsoft's will.

  3. yay! by Anonymous Coward · · Score: 1

    Yay! Now I can finally ask Microsoft for permission to boot my Linux machine! I've been eagerly awaiting this for years and years.

    Oh, I can just disable in the UEFI, you say? Yes, I'm fully confident that situation will persist going into the future. Because that's how these things go.

    1. Re:yay! by Anonymous Coward · · Score: 0

      Or you could just load your own key.

    2. Re:yay! by Anonymous Coward · · Score: 1

      The UEFI guidelines say nothing about key management - an OEM can get certified just by having an option to wipe all the keys.

    3. Re:yay! by flimflammer · · Score: 1

      You didn't need Microsoft's permission in the first place, and not because you could just disable secure boot.

    4. Re:yay! by Anonymous Coward · · Score: 0

      Don't count on doing that on an OEM UEFI with functions not implemented or disabled.

  4. This is bollocks by Skiron · · Score: 4, Interesting

    All the time Microsoft have control, they will always have control.

    Why don't people LEARN from history from how they operate?

    This will all go horribly wrong, mark my words.

    And I still do not understand how Microsoft get to control this.

    1. Re:This is bollocks by EdZ · · Score: 5, Informative

      And I still do not understand how Microsoft get to control this.

      For anything x86 based; they don't. They expressly require OEMs (and anyone else producing motherboards with a little Windows 8 sticker on the box) to allow the end user to add their own Secure Boot keys, as well as insert Microsoft's key. No end-user modification, no certification.

      So why are various Linux distros getting bootloaders signed by Microsoft? Because they assume users are not competent enough to enter keys manually. Thus, they ask Microsoft (or take advantage of the service Microsoft offers) to sign their bootloader with Microsoft's preloaded key.

    2. Re:This is bollocks by darkHanzz · · Score: 3, Informative

      And I still do not understand how Microsoft get to control this.

      They talk directly to manufacturers, since Windows is still installed by default. So the swing they have on the whole laptop market just became a bit more visible, it's always been there, however.

    3. Re:This is bollocks by Skiron · · Score: 1

      But turn the bloody thing on anyway?

      Microsoft must demand that, and also the options to disallow users to turn it off - and the OEMs somehow follow like sheep.

      Surely if you put a pre-installed MS OS on the thing, turn it ON. But at least let the tech-savvy be allowed to turn it off to allow installation of anything else they wish to do.

      I mean, the USER actually owns the machine, not Microsoft.

    4. Re:This is bollocks by Sarten-X · · Score: 5, Informative

      It's not an issue of "competent". It's an issue of "willing".

      A major source of Linux's desktop growth is the use of live CDs. Just drop in a disk at boot, and you've got yourself a working Linux desktop to play with and perhaps even like. You can see the filesystem's different layout, you can see each application's settings saved to plain old files, and you can see the package manager's simple installation of useful software. Perhaps you can even like it and decide to install. If not, there's no changes to your computer.

      That's all changed now. Now, your computer must be prepared for Linux first, through some means of adding a new key. While not really beyond the average user's level of competence, it is beyond their level of ambition just to try "that Linux thing". The longstanding promise of "try it without changing anything" that has fueled trials isn't wholly true any more. Supposedly Windows' bootloader will let you boot unsigned CDs, but I've tried that three times with three failures on known-good disks, so I expect there's something screwy hidden in that route, and that doesn't really solve the problem of booting once the installation's complete.

      To make matters worse, there's no standard mechanism for adding the boot key. One option is a BIOS-based tool, which will come with the typical polish of a motherboard manufacturer we've had on BIOS setups for years. Expect a keyboard-based menu with unique brand-specific names. Another option that might be viable in the future is a Windows tool to add a key, which will inspire Windows to raise scary warnings about compromising security and never starting again, which will do wonders for the user's confidence.

      Microsoft surely knows that Secure Boot won't affect savvy nerds from converting to Linux. They also surely know that Linux is still growing organically, relying on word-of-mouth and firsthand try-before-you-buy experience. By requiring Secure Boot to be user-modifiable, they've thrown a roadblock in the path for Linux's growth, without looking like they're being blatantly nasty. They can keep exaggerating the threat of bootloader rootkits to justify locking everybody out, then point to the key-adding ability to dispel accusations of abusing their monopoly.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    5. Re:This is bollocks by EdZ · · Score: 3, Informative

      Not only can you turn Secure Boot off (and add your own keys to the bootloader) for x86 devices, the end user MUST be able to do so in order to gain Windows 8 certification. No end-user configuration, no shiny windows sticker on the box (or windows pre-installation in the case of OEM systems).

    6. Re:This is bollocks by RobbieThe1st · · Score: 1

      No, MS owns it. You should be paying them your monthly fee.

    7. Re:This is bollocks by SuricouRaven · · Score: 1

      Would you check the details on that? As I understood it, and I might be wrong, the Microsoft standard doesn't require OEMs provide the ability for the end user to add their own keys - that's up to the OEM. What it does do is require the OEMs provide the user with the option to disable secure boot entirely, and that this can only be done by someone physically present at the machine (The 'press F1 to enter setup' program).

    8. Re:This is bollocks by SuricouRaven · · Score: 3, Informative

      The margin on most PCs is razor-thin. If they were required to buy a full Windows license, the cost of the machine to manufacture would shoot up by a hundred dollars. Microsoft provides heavily-discounted OEM edition licenses to OEMs, which they simply cannot do without: No OEM licenses, no business. So when Microsoft sets standards for that 'designed for Windows 8' sticker and the license discount that comes with it, OEMs have no option but to meet those standards. This gives MS the power to dictate a sweeping change. Sometimes something major, others something trivial like mandating an extra button on the keyboard.

    9. Re:This is bollocks by EdZ · · Score: 4, Informative

      From the horse's mouth itself (the Windows 8 certification guidelines, specifically System.Fundamentals.Firmware.UEFISecureBoot para.17):

      Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following: It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.

      Separately (Para.18):

      Mandatory. Enable/Disable Secure Boot. On non-ARM systems, it is required to implement the ability to disable Secure Boot via firmware setup. A physically present user must be allowed to disable Secure Boot via firmware setup without possession of PKpriv.

    10. Re:This is bollocks by 0123456 · · Score: 0

      For anything x86 based; they don't. They expressly require OEMs (and anyone else producing motherboards with a little Windows 8 sticker on the box) to allow the end user to add their own Secure Boot keys, as well as insert Microsoft's key. No end-user modification, no certification.

      Well, duh.

      They have to do that in order to get Windows Boot in the door, then with Windows 9 or 10 they require that it can't be turned off.

      Oh, sorry, I forgot, the slippery slope is a logical fallacy so Microsoft would never, ever do such a thing. Can't happen.

    11. Re:This is bollocks by jones_supa · · Score: 1

      Wait, what? If that's the case, how are we having these problems with Linux then?

    12. Re:This is bollocks by robsku · · Score: 2

      Too bad I don't have mod points to +1 you - or -1 the bollocks you got as a result. Anyone claiming total UEFI lockdown on ARM is for security and has nada to do with blocking OtherOS is deluded - and anyone thinking MS wouldn't love to do just that with x86 but took slightly more moderate route because they are a monopoly at x86 desktop, and it would just be nasty for them if they had gone that way, is deluded.

      What you describe is what's happening with the plan they had to settle with.

      --
      In capitalist USA corporations control the government.
    13. Re:This is bollocks by robsku · · Score: 1

      for x86 devices

      *yawn*

      --
      In capitalist USA corporations control the government.
    14. Re:This is bollocks by ais523 · · Score: 2

      Because being able to turn it off doesn't necessarily mean you know how to do so. (It's likely to be buried in a settings menu during the boot process.) Just putting a CD in the drive and choosing "install", like you used to be able to do, won't work unless you reconfigure the UEFI first. So it's adding a bunch of extra steps to try out a new OS.

      --
      (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
    15. Re:This is bollocks by Burz · · Score: 1

      And I still do not understand how Microsoft get to control this.

      It seems like MS took the initiative on this, while the Linux camp assumed their users would expertly guard their systems and wouldn't have a need for runtime code signing. But most computer users aren't experts, and even many experts would rather have the code they run automatically verified by signatures, too, if it's available.

      But I don't understand why the Linux Foundation expects their OS to be an exception to secure boot (or something like it)... and that's what this signed pre-bootloader is, an exception that is being granted for people who want to run Linux (which will now cause Linux desktops to be associated with a big, scary boot-time message saying something to the effect of "this OS might not be secure").

      Ultimately I think we'll see one or two distros like Ubuntu cut deals with vendors like Dell to have an Ubuntu-specific cert pre-installed on certain models.

    16. Re:This is bollocks by Anonymous Coward · · Score: 0

      MS sucks shitty rocks. I tried to install Linux on a friend's new computer (preinstalled W8) and there was no way - even if I went into the BIOS and disabled secure boot - so disabling it is only a ploy. She couldn't handle all the adware and complete shit and spam storm from Windows and Norton and all that - makes me mad just thinking about all the crapware you see on other people's computers!

    17. Re:This is bollocks by westlake · · Score: 2

      And I still do not understand how Microsoft get to control this.

      Secure Boot became part of the UEFI spec in 2008-2009. (Rev 2.2)

      The spec is managed by the UEFI Forum --- representing AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, Microsoft, and Phoenix Technologies. Unified EFI Forum

      The Linux Foundation posted a "Power Point" presentation in October 2011: Making UEFI Secure Boot Work With Open Platforms

      It comes down to this:

      To successfully implement hardware level security in a mass market consumer product, it has to be enabled by default. The geek knows this is true, even if he doesn't like the implications.

      Microsoft isn't going to yield on this point ---

      and the geek has no leverage.

      The OEM market for the x86 UEFI motherboard is OSX and Windows.

    18. Re:This is bollocks by Anonymous Coward · · Score: 0

      This only says a user must be able to modify the signature databases using a mechanism that can be as simple as erasing all of them.

      Can you please point us to where it is specifically stated that a user must be able to add their own keys?

    19. Re:This is bollocks by mjg59 · · Score: 1

      "Setup mode" is part of the UEFI specification. You can add any keys you want to while you're in it.
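
Added example (not part of the thread, and not code from the Linux Foundation or any poster): a Python sketch of how the state discussed in these comments can be inspected, classifying a machine as setup mode or user mode from the SecureBoot and SetupMode variables and listing the entries of a signature database such as db or dbx. The byte layouts follow the UEFI specification and Linux efivarfs; the function names, owner GUID and sample bytes are constructed for illustration.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509_GUID: "X.509 certificate", SHA256_GUID: "SHA-256 hash"}

# EFI_SIGNATURE_LIST header: type GUID, list size, header size, entry size.
LIST_HEADER = struct.Struct("<16sIII")


def split_efivar(raw):
    """Split an efivarfs file into (attributes, data); the first 4 bytes are attributes."""
    if len(raw) < 4:
        raise ValueError("efivarfs file shorter than its attribute word")
    return struct.unpack_from("<I", raw)[0], raw[4:]


def boot_state(secure_boot_raw, setup_mode_raw):
    """Return 'setup', 'enforcing' or 'disabled' from the two one-byte variables."""
    _, secure_boot = split_efivar(secure_boot_raw)
    _, setup_mode = split_efivar(setup_mode_raw)
    if setup_mode[:1] == b"\x01":
        return "setup"       # no PK enrolled; key databases are open for enrollment
    if secure_boot[:1] == b"\x01":
        return "enforcing"   # user mode, signatures are checked at boot
    return "disabled"        # user mode, Secure Boot switched off in firmware setup


def parse_signature_lists(data):
    """Walk concatenated EFI_SIGNATURE_LISTs; return (type, owner GUID, payload) tuples."""
    entries, offset = [], 0
    while offset < len(data):
        if len(data) - offset < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(data, offset)
        body_start = offset + LIST_HEADER.size + hdr_size
        list_end = offset + list_size
        # Reject sizes that would run past the buffer or never advance the offset.
        if list_size < LIST_HEADER.size + hdr_size or list_end > len(data) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if (list_end - body_start) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        kind = SIG_TYPES.get(uuid.UUID(bytes_le=type_raw), "unknown type")
        for pos in range(body_start, list_end, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])   # EFI GUIDs are mixed-endian
            entries.append((kind, str(owner), data[pos + 16:pos + sig_size]))
        offset = list_end
    return entries


def digest_listed(data, digest):
    """True if a SHA-256 digest is enrolled in the given database (db or dbx).

    For PE images the firmware compares the Authenticode digest, not a hash
    of the whole file, so feed this the Authenticode digest on real data.
    """
    return any(kind == "SHA-256 hash" and payload == digest
               for kind, _, payload in parse_signature_lists(data))


def build_list(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST (used only to construct the sample below)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    entry_size = 16 + len(payloads[0])
    return LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + len(body), 0, entry_size) + body


# Constructed sample data, not taken from any real machine.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (
    build_list(X509_GUID, OWNER, [b"\x30\x82" + bytes(30)])  # placeholder, not a real certificate
    + build_list(SHA256_GUID, OWNER, [hashlib.sha256(b"loader-a").digest(),
                                      hashlib.sha256(b"loader-b").digest()])
)
SAMPLE_SECURE_BOOT = struct.pack("<IB", 0x06, 1)  # attribute word + value 1
SAMPLE_SETUP_MODE = struct.pack("<IB", 0x06, 0)   # attribute word + value 0

if __name__ == "__main__":
    # On Linux the real inputs are files under /sys/firmware/efi/efivars/, e.g.
    # SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c and
    # db-d719b2cb-3d3a-4596-a3bc-dad00e67656f (pass db through split_efivar first).
    print(boot_state(SAMPLE_SECURE_BOOT, SAMPLE_SETUP_MODE))
    for kind, owner, payload in parse_signature_lists(SAMPLE_DB):
        print(kind, owner, payload[:8].hex())
```

Run against dbx instead of db, the same parser shows which hashes or certificates the firmware will refuse regardless of signature.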

    20. Re:This is bollocks by Sarten-X · · Score: 1

      That's almost exactly what I had with the first of the three failures I mentioned. A friend bought a Win8 laptop (Toshiba something), and hated that she couldn't be viewing more than one program at once with the new interface, so she got pissed and wanted to go fully to Linux. I disabled Secure Boot, and tried to boot from the CD, both with the BIOS and through the Windows loader... neither would do anything useful with the disk.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    21. Re:This is bollocks by kestasjk · · Score: 1

      Because people are getting in a huge state over nothing.. The fear is that Microsoft will then remove the ability to turn it off later (despite the fact it would be inviting a massive anti-competition lawsuit)

      --
      // MD_Update(&m,buf,j);
    22. Re:This is bollocks by shutdown+-p+now · · Score: 1

      And who cares about ARM devices running Windows? They're a minuscule part of the market, likely to remain that way - and people who bought them hardly did so to install Linux on them. If you want to have a large number of ARM devices with unlocked bootloaders, the logical place to start would be bringing up the issue with Apple and Samsung.

    23. Re:This is bollocks by robsku · · Score: 1

      Mostly true and/or agree, but - just for example - every ARM system in future which is of no use but could be repurposed by someone if it only had unlocked bootloader is a sad failure and wrong on more than one level.
      Or if the version of windows install it has is messed and all you'd need was re-install but the version isn't supported anymore... or... you keep on.

      The fact is that in the end of Win ARM devices use a number of them will have possible other uses they could be useful for, but unless the lock-in can be broken they will be just bricks - only worse as waste.

      --
      In capitalist USA corporations control the government.
    24. Re:This is bollocks by strikethree · · Score: 1

      Are you a moron or a shill? Sure, Secure Boot is required to have a method of disabling for Windows 8... but what about Windows 9? Windows 10? Is your righteous indignation going to allow everyone to turn off Secure Boot then?

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  5. Will dell systems be able to use this or will MS t by Joe_Dragon · · Score: 1

    Will dell systems be able to use this or will MS try to block this on dell that they now own a part of?

  6. Re:Will dell systems be able to use this or will M by Skiron · · Score: 1

    MS don't own Dell yet. But that is irrelevant - they can change the rules any time they want to {embrace period}

  7. Does SecureBoot force you to also use EFI? by tstrunk · · Score: 1

    If your mainboard requires you to use SecureBoot, does this mean you are also forced to boot using EFI instead of some legacy BIOS fallback?

    I did not have the best experiences with using EFI in actual EFI mode and not some BIOS fallback mode. My laptop (an eeePC 1215B) refused to boot the Windows install in EFI mode and had some wifi problems on Linux (everything works perfectly in BIOS land); I had similar experiences with a Lenovo S205 of a colleague.

  8. Hopefully this one is/can be promptless by sethstorm · · Score: 1

    Requiring a prompt does cripple the bootloader when compared to others that are somehow exempt from it.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
    1. Re:Hopefully this one is/can be promptless by Microlith · · Score: 1

      It can't be promptless. The only ones that can be promptless are ones that assert a check on the kernel being loaded.

  9. So where does Win8 / Ubuntu dual boot stand now ? by Anonymous Coward · · Score: 0

    Now that this has been achieved, what's the status of Win8 / Ubuntu dual boot via Wubi installer?
    What is the current procedure to get this set up?

  10. Samsung laptops? by Anonymous Coward · · Score: 1

    I've heard somewhere that trying to override UEFI bricks some Samsung laptops. Anything about this?

    I think that it could depend on manufacturers correctly implementing UEFI. You can always depend on bugs. Remember "THERE ALWAYS IS ANOTHER BUG" that you have not discovered yet.

    1. Re:Samsung laptops? by Truekaiser · · Score: 1

      Personally I don't think that was a bug, but a feature that was released a 'bit' too early.
      If you have the money, I say stockpile some non-UEFI motherboards, either to sell later at many times the price you bought them, when their value goes up, to those who use non-Windows OSes, or for you to use when stuff dies.

    2. Re:Samsung laptops? by Anonymous Coward · · Score: 0

      trying to override UEFI bricks some Samsung laptops

      Not quite, turns out using UEFI in some Samsung laptops can brick them either at boot or from user space application. Note if you're using a Samsung Chromebook that uses a combination of Coreboot & U-Boot, so UEFI bugs don't happen.

  11. Instead of giving Microsoft's ass the boot by Mister+Liberty · · Score: 0

    they now offer theirs...

    --
        Linux user since 1991

  12. Great! Now let's boycott it. by UltraZelda64 · · Score: 4, Insightful

    Seriously, when Microsoft is paid for the key and they own the key into our computers, we've lost. Simple solution: Avoid ARM-based machines as long as Microsoft requires that no way exists to disable Secure Boot. By buying into this shit, we're just setting ourselves up to be fucked in the ass by Microsoft. I can't say anything good about the Linux Foundation for playing ball with these assholes either. Pre-bootloader, my ass--more like pre-pre-boot-extra-complexity-nightmare, thanks to Microsoft. Having to use this would be a disgrace; that alone should be enough to get people to buy more compatible hardware (but won't be).

    1. Re:Great! Now let's boycott it. by Microlith · · Score: 2

      This does nothing for ARM machines. Microsoft won't sign anything other than their own software to boot on certified Windows RT devices.

    2. Re:Great! Now let's boycott it. by Anonymous Coward · · Score: 0

      I agree. Also, doesn't this mean that Microsoft has the power to disable all the Linux machines that have this pre-boot loader (that use keys provided by MS)?

    3. Re:Great! Now let's boycott it. by corvax · · Score: 1

      Yes, if the key becomes "compromised" they could lock you out.

    4. Re:Great! Now let's boycott it. by Kjella · · Score: 3, Insightful

      Seriously, when Microsoft is paid for the key and they own the key into our computers, we've lost. Simple solution: Avoid ARM-based machines as long as Microsoft requires that no way exists to disable Secure Boot.

      Uhh this isn't about ARM, Microsoft doesn't allow any third party OS on their ARM machines period. This is if you want any x86 machine shipping with Windows 8 and the "Designed for Windows 8" label to boot any other OS without finding the obscure and non-standard way to disable Secure Boot in UEFI (the new BIOS). At least in this incarnation you can always disable it yourself (again, only on x86), but I smell a Darth Vader quote coming as in "I'm altering the deal. Pray that I do not alter it further." But there's really no way to boycott Secure Boot without boycotting all machines with Win8 preinstalled, which has a snowball's chance in hell of working. What you'd really want is Linux preinstalled laptops, but they're still very few and far between. Desktops are less of an issue because you can always build from parts, or have one built for you.

      --
      Live today, because you never know what tomorrow brings
    5. Re:Great! Now let's boycott it. by UltraZelda64 · · Score: 1

      Clarification: Windows plus ARM. I could have sworn that after all the times I typed Microsoft the point would be clear, but apparently not. I did not intend to point all the blame on ARM, which again leads back to why my wording was focused so much on Microsoft. People still seem to fail to get the point.

      As it is, the most we can do is not buy computers that meet both of these specifications: Windows RT running on an ARM processor. By doing so we are effectively surrendering and increasing their (again, Microsoft's) power to further destroy our freedom in the future. That does still leave x86 machines, which even if they do come with Windows 8, at least you are not anchored and forced with a knife to your throat to use it. Not yet, anyway--just wait for Windows 9 or 10 for that. But at least you *can* still order some machines with Linux or no OS installed; as you said, there's just not many choices and no one's ever heard of any of them.

      I agree that in the end avoiding Windows completely is the way to go, but let's face reality here: that's just not gonna happen. As you even stated yourself, it pretty much has "a snowball's chance in hell" of ever happening. But a potentially-emerging market like more general purpose ARM-based machines becoming locked down by Microsoft, there is a chance that something can be done before it gets too bad and then seeps over to the x86 side. Hell, they've already shot themselves in the foot by disallowing all third-party developers from releasing ARM applications for the traditional desktop. Just tack this on as yet another reason to avoid Windows RT.

      Microsoft is attempting one of the absolute worst things that it can possibly do: lock everything else out in a brand-new market of computers before it even has the chance to mature. Pretty fucking arrogant, considering they don't even own the rights to the processor.

    6. Re:Great! Now let's boycott it. by kestasjk · · Score: 1

      As it is, the most we can do is not buy computers that meet both of these specifications: Windows RT running on an ARM processor. By doing so we are effectively surrendering and increasing their (again, Microsoft's) power to further destroy our freedom in the future

      It's the same deal with iOS isn't it? Even with Android phones you need to work to root them. Same thing for Tivos, TVs, consumer linux routers, etc; the device and software are sold as a single package. Hardly a new evil Microsoft thing, and not even controversial outside of the FSF.

      But I agree 100% that if you don't like it don't buy it.

      --
      // MD_Update(&m,buf,j);
    7. Re:Great! Now let's boycott it. by UltraZelda64 · · Score: 1

      It's somewhat "new" for Microsoft and the main line of Windows though. DOS and the original Windows line for x86 has traditionally never been this locked down. Microsoft makes it big with an open architecture, then locks down heavily the first chance they get of getting on a new processor. What good is a processor if it will only run code that the OS' author says it can?

  13. Re:only by K.+S.+Kyosuke · · Score: 2

    That sort of doesn't make sense, the kernel is in full control of the whole physical memory, and once you boot the kernel, it's perfectly free to recreate its state and that of all running processes.

    --
    Ezekiel 23:20
  14. Re:only by Rockoon · · Score: 1

    You sort of don't know how hibernate works.

    --
    "His name was James Damore."
  15. HATE by Anonymous Coward · · Score: 0

    I'll never buy this crapware, I can live with UEFI, what is neat is booting from file-system instead of MBR ... but did we really need UEFI for this ?!?
    They could have well used http://www.coreboot.org/Welcome_to_coreboot ... less bugs ... less code ... less money wasted.

    But I'll never buy a device that has a mandatory boot-lock in it (or sell) (if such devices exist)
    But we are a minority ... of course as "experts" we could badmouth them ...

  16. Anti-Trust by Anonymous Coward · · Score: 1

    http://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/#comment-4096
    "Why Microsoft is allowed to use its relationships to OEMs in this way seems to fly in the face of anti-trust law and the latter circumstance is what is objectionable and should be pursued."

  17. Enough is enough by benjymouse · · Score: 4, Insightful

    Microsoft surely knows that Secure Boot won't affect savvy nerds from converting to Linux. They also surely know that Linux is still growing organically, relying on word-of-mouth and firsthand try-before-you-buy experience.

    You are seriously delusional. "Converting" to Linux is not, has never been and will never become a threat to Microsoft. Right now Microsoft is pressured on other fronts, such as desktop PC losing relevance, not being on the boat on mobile and not competing effectively in the tablet game.

    You are trying to wage last decade's battle. Microsoft does not feel threatened by Linux on the desktop *at* *all*. Get real. The threats to Microsoft do not come from conversions in the x86 space, they come from vertical players and mobile, like Chromebooks, tablets, smartphones.

    Note how *all* of these emerging platforms have more restricted app models, and especially *boot* models. Microsoft is simply evolving their primary platform to match the features and security (from closed and semi-closed gardens) of the threatening platforms.

    The threat to Microsoft's desktop business is *not* Linux. Even though Linux has evolved in that space and on the surface appears to be able to go head-to-head, Microsoft Windows is still *much* more mature than any desktop Linux. Consider for instance group policies, restart manager, volume shadow service, various troubleshooting guides, shims for both application and device compatibility etc. The real threat is that the desktop becomes irrelevant.

    If the desktop is perceived as less secure than an online counterpart, Microsoft will be losing. They *need* to ensure secure boot. It is not an anti-Linux move at all. You are flattering yourself. And being stupid.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    1. Re:Enough is enough by corvax · · Score: 3, Insightful

      Even if it wasn't intentional (I doubt it) what this does do is make it just a little bit harder to install Linux. And makes Microsoft the gatekeeper of YOUR hardware. What happens to A LOT of old Windows PCs? They get Linux installed on them to give them a few more years of usefulness = a loss of revenue for Microsoft. Even if it is a small percentage it's not enough, Microsoft would be much happier if the percentage was ZERO......

    2. Re:Enough is enough by Anonymous Coward · · Score: 0

      Microsoft isn't threatened by smartphones, tablets, netbooks, or chromebooks

      There is no room for expansion in the market they own (PC OS and Office sales). The 1st world doesn't have any more people left who want/or can afford the products they make money off.

      They have to look elsewhere for it now and they aren't in that race. That might scare them. However not being in that race doesn't necessarily mean they are losing anything of value. If they make $0 from licensing for these new devices it doesn't make them money. If they have tapped other spaces (like how Google has tapped advertising) it won't make them money either.

    3. Re:Enough is enough by Anonymous Coward · · Score: 4, Informative

      I agree with most of your points, however I feel Microsoft is its own biggest threat. Them fucking around with all sorts of shit in Windows is going to drive people away. A number of changes since WinXP have irritated me, but I have stuck with Windows until now.

      I recently bought a new laptop (Lenovo x230). I upgraded the storage myself - to use an mSATA SSD for the operating systems. After spending hours trying to get Win8 installed (no OS DVD provided) I gave up, it was the last straw. The UEFI stuff was a pain in the ass, but managed to get Arch Linux up and running comparatively easily.

      I have been tinkering with Linux for a number of years, but it finally took Windows 8 to drive me to Linux full time & I couldn't be happier. This is the first computer I have owned without Windows installed on any partition - it was nerve-wracking at first, but now wish I had made the move sooner.

    4. Re:Enough is enough by Anonymous Coward · · Score: 0

      You're the one who is delusional, notice the hardware vendors don't offer motherboards without it at my choosing because who would buy this.
       

    5. Re:Enough is enough by Anonymous Coward · · Score: 0

      This might just backfire on them when all the nerds like me buy from China and make our own machines like we mostly do anyway and not ever purchase a secure boot machine at best or worst buy. and other see you can only do the three for os multi boot on cool machines like mine you just might be ass out.

    6. Re:Enough is enough by rescendent · · Score: 1

      What happens to A LOT of old Windows PCs? They get Linux installed on them to give them a few more years of usefulness = a loss of revenue for Microsoft.

      The old Windows PCs are already paid up with the Windows software, where is the revenue that MS would be getting from them if they didn't have Linux on?

    7. Re:Enough is enough by nzac · · Score: 4, Informative

      Consider for instance group policies, restart manager, volume shadow service, various troubleshooting guides, shims for both application and device compatibility

      I don't think Linux has a nice "clicky" interface to any of these things but to suggest that it does not have solid equivalents to the first 3 (the rest appear to assume Linux has the same problems as Windows).
      Group policies are probably difficult to fully replicate on Linux but it's due to flaws in Windows that it even needs a restart manager. Maybe SSV is more permission friendly than LVM also.
      You are just another Windows user who assumes that a proper OS should function the same as Windows. There are better lists than this for things Linux is missing on the desktop but the one is the lack of third party applications.

    8. Re:Enough is enough by ais523 · · Score: 1

      Presumably in the Microsoft Tax on the new computers that would otherwise be bought to replace them.

      --
      (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
    9. Re:Enough is enough by AmiMoJo · · Score: 2

      Note how *all* of these emerging platforms have more restricted app models, and especially *boot* models.

      Chromebooks will boot anything you like, including Linux and Windows. Android devices from Google have unlocked bootloaders that will boot anything, including Ubuntu for phones, and the OS itself allows installation of apps from any source without any signing requirement at all.

      Android is also the most popular mobile OS. Google learned the lessons from history that others did not: the most open platform usually wins. Betamax vs. VHS. MiniDisc vs. CD-R. MemoryStick vs. SD card. Amiga/Atari/Sinclair/Amstrad vs. IBM PC clones. Proprietary Unix vs. Linux/BSD. Windows RT is doomed to failure by nature of being too closed an ecosystem.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:Enough is enough by epyT-R · · Score: 1

      Sounds like to me you're just using windows as an 'objective' barometer to measure capability.

      1. restart manager? proper business systems only need to be restarted when absolutely necessary.. needing a 'manager' to handle it suggests inferior design, not superior. It's truly amazing what a process microsoft has made out of copying files from an archive to directories on the system drive.
      2. group policies? Ever heard of LDAP? I believe microsoft's embrace/extend name for that is called active directory. both are a pain to set up and have problems.
      3. volume shadow? LVM works just as well here, along with device mapper, dd and other io tools. Any unix released in the last 15 years kicks the crap out of microsoft in storage volume management.
      4. trouble shooting? are you kidding? technet is a pile of verbose nonsense that tries so hard to say as little as possible about your system. it's at best, a faq.

    11. Re:Enough is enough by serviscope_minor · · Score: 1

      What are these group policies that Linux can't replicate? I'm curious: I looked it up on google, but the descriptions are fairly high level and seems like they'd translate reasonably well.

      Also, a restart manager?

      --
      SJW n. One who posts facts.
    12. Re:Enough is enough by nzac · · Score: 1

      What are these group policies that Linux can't replicate? I'm curious: I looked it up on google, but the descriptions are fairly high level and seems like they'd translate reasonably well.

      I said difficult, not that you could not. There's probably some context based permissions that benjy is referring to.

      Restart Manager is an installer API for restarting services while updating files to prevent restarting the whole OS. Linux deb/rpm installers can just call syscontrol and restart the service using the same call as the user.

    13. Re:Enough is enough by Anonymous Coward · · Score: 0

      Linux _used to_ have excellent interfaces. Then the desktop guys decided to rip everything to shreds. Now we have Gnome 3.

      Gnome 3 could have been just like Gnome 2, but better, with gobject-introspection enabling the user to find out exactly what's going on at all times, and with the option of getting rid of the menubars and having a tablet interface. Instead, it's shit.

    14. Re:Enough is enough by Anonymous Coward · · Score: 0

      Well color me shocked, another Windows shill spouting bad evidence, making bad conclusions with it, and getting moderated up for taking the time to type in a complete wall of bullshit. You get an E for effort I guess.

  18. I'm still wondering... by QuietLagoon · · Score: 2, Interesting

    ... why Microsoft is the gatekeeper for what OS's are allowed to boot on the computers I buy.

    1. Re:I'm still wondering... by BradleyUffner · · Score: 1, Flamebait

      ... why Microsoft is the gatekeeper for what OS's are allowed to boot on the computers I buy.

      They are A gatekeeper, not THE gatekeeper. In order to get a motherboard certified it is required that the user be able to enter their own keys.

    2. Re:I'm still wondering... by bmo · · Score: 1

      In order to get a motherboard certified it is required that the user be able to enter their own keys.

      Except on ARM devices certified for Win8. At which time they are the single gatekeeper.

      Fuck Microsoft.

      --
      BMO

    3. Re:I'm still wondering... by blauregen · · Score: 1

      Mr. Garrett had the following to say on this topic here: http://mjg59.dreamwidth.org/12368.html

      An alternative was producing some sort of overall Linux key. It turns out that this is also difficult, since it would mean finding an entity who was willing to take responsibility for managing signing or key distribution. That means having the ability to keep the root key absolutely secure and perform adequate validation of people asking for signing. That's expensive. Like millions of dollars expensive. It would also take a lot of time to set up, and that's not really time we had. And, finally, nobody was jumping at the opportunity to volunteer. So no generic Linux key.

    4. Re:I'm still wondering... by Anonymous Coward · · Score: 0

      Because you fools are buying Windows machines.

    5. Re:I'm still wondering... by Anonymous Coward · · Score: 0

      Fuck Microsoft.

      Up the ass. With a red hot poker.

    6. Re:I'm still wondering... by BradleyUffner · · Score: 1

      In order to get a motherboard certified it is required that the user be able to enter their own keys.

      Except on ARM devices certified for Win8. At which time they are the single gatekeeper.

      Fuck Microsoft.

      --
      BMO

      Maybe if this story was about ARM you would have a point.

    7. Re:I'm still wondering... by bmo · · Score: 1

      You softies are fucking ridiculous.

      Honestly.

      --
      BMO

    8. Re:I'm still wondering... by Anonymous Coward · · Score: 0

      1. Because manufacturers want to have a "Windows 8" sticker on their box.
      2. Even if manufacturers don't care about the sticker, they'll want to add Microsoft's key anyway because it's what virtually everyone uses. It's much less hassle to install the key than to tie up support lines from users who don't understand how to add Microsoft's key manually.

      That's basically it.

    9. Re:I'm still wondering... by Anonymous Coward · · Score: 0

      When the industry tries to introduce security via certificates which use a central authority, and OpenSource OSes are distributed by design, conflicts occur.

      There is absolutely nothing stopping Linux/BSD/etc from using secure boot in the same way Windows uses it, except that Opensource is too dysfunctional to understand how CAs work and how business relations work.

    10. Re:I'm still wondering... by kestasjk · · Score: 1

      Did you know Apple are "the single gatekeeper" for what runs on iPhones? Isn't that outrageous? And when I discovered I can't run QNX on my Nintendo Wii I was just furious.. It's almost like they're not selling these devices as general purpose computers!

      --
      // MD_Update(&m,buf,j);
    11. Re:I'm still wondering... by Anonymous Coward · · Score: 0

      And you FOSS zealots are delightfully hilarious. Go fuck yourself, BMO. Better yet, call Stallman and ask him to ram his "freedom meat" right up your poophole.

    12. Re:I'm still wondering... by Anonymous Coward · · Score: 0

      Nice try. The issue is that -any- architecture should not have a single gatekeeper! ARM is becoming more and more ubiquitous, Microsoft damn well knows that. Otherwise, why the special clause making UEFI mandatory for ARM? You're being disingenuous by pretending not to see the obvious here.

    13. Re:I'm still wondering... by Anonymous Coward · · Score: 0

      Uh.. no one else currently makes iOS hardware. This is different -- many 3rd-party manufacturers, with Microsoft usurping control over the boot procedure for -- again -- 3rd party hardware. Can you understand the essential difference here?

    14. Re:I'm still wondering... by kestasjk · · Score: 1

      No, I don't understand the difference. Suppose Apple allowed another company to make iPhone hardware, so long as it met the specifications and they paid Apple appropriately; why would Apple then have to allow people to dual-boot?

      Currently Apple have alternative suppliers for the components that go into the iPhones, but they are the ones who ultimately do the packaging and shipping. Are you saying that if Microsoft did the packaging and shipping it would be okay for them to ban dual-booting? Are you saying that it's no problem for them to do it for the Microsoft Surface, which they do package and ship?

      --
      // MD_Update(&m,buf,j);
  19. Re:So where does Win8 / Ubuntu dual boot stand now by corychristison · · Score: 1

    Install Ubuntu and run Windows under VirtualBox, or vice versa if you're a gamer.

    I honestly don't understand why anyone dual boots anymore. It just seems inconvenient, in my opinion.

  20. Re:So where does Win8 / Ubuntu dual boot stand now by cpghost · · Score: 1

    I honestly don't understand why anyone dual boots anymore. It just seems inconvenient, in my opinion.

    You've never used a Hypervisor, have you?

    --
    cpghost at Cordula's Web.
  21. Re:only by K.+S.+Kyosuke · · Score: 1

    Then enlighten me, oh exalted one!

    --
    Ezekiel 23:20
  22. Re:only by SuricouRaven · · Score: 4, Interesting

    True. Except that it can be used to bypass secure boot:
    1. Boot secure OS.
    2. Hack it, get root.
    3. Write hibernate image to the drive containing your hacked kernel, which includes disabling of the code to delete the image after use.
    4. Trigger reboot.
    5. Pwnage.

    It'd take some very impressive skill to do that - it isn't something you could just make a script-kiddie toolbox for. The only way to prevent this is for the kernel to use TPM hardware to sign the boot image. As this isn't yet an option, it's debated if Secure Boot linux should also disable hibernation, in order to be strictly compliant, even though it introduces much user annoyance to provide protection against an attack that would be near-impossible for even the best hacker to pull off.

  23. Re:So where does Win8 / Ubuntu dual boot stand now by Anonymous Coward · · Score: 0

    Virtualbox is a hypervisor. Unless you meant a bare-metal hypervisor, but if you did I'm sure you would have indicated that as apparently you know a lot about what is and isn't a hypervisor.

  24. Re:So where does Win8 / Ubuntu dual boot stand now by SuricouRaven · · Score: 1

    Some things need low-level hardware access to work that a VM can't do. Try running a triple-headed accelerated monitor setup from a VM. No easy thing. There's also a substantial memory overhead in virtualisation - if you've only got a laptop with a gig or two of ram, then you can't afford to throw 500MB of that away holding Windows in memory to host your Linux VM or vice versa.

  25. why rely on microsoft by corvax · · Score: 1

    Why not our own key signing cert? Myself and many others would gladly pay to help run such a service for the community. Why hand the literal keys to the kingdom to the very person who's been trying to destroy you for years?

    1. Re:why rely on microsoft by 0123456 · · Score: 1

      Because then you have to convince every motherboard manufacturer to install your key too.

    2. Re:why rely on microsoft by corvax · · Score: 1

      Yes and that's what the Linux Foundation should be doing! That's their job!

    3. Re:why rely on microsoft by fikx · · Score: 2

      The problem is even if they "do their job" how much can they do? Microsoft has the advantage of motherboard makers coming to THEM to get a key. On the other hand the Linux Foundation would have to seek out Motherboard makers large and small and convince them to add their key. It's not do-able to get all of them to agree even with unlimited time and energy.
      The issue is, what keys come with the motherboard. For now, Microsoft guaranteed. So, the obvious short term solution (although problems like everyone has mentioned) is to ask nicely to use one of the keys that is already going to be on the board. Just not a long term solution, but at least it lets us continue to have the option of booting Linux in some form without bypassing the boot security (as some have described it: without having to prepare, using MB maker's inconsistent and buggy tools and methods ). And booting demo/live disks relies on not preparing the MB before booting (at least for a lot of uses for live CD's)

      --
      AB HOC POSSUM VIDERE DOMUM TUUM
  26. Its NOT Microsoft by ArchieBunker · · Score: 3, Interesting

    Nobody ever brings this up but me. Guess who else is in the UEFI group?

    AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, Microsoft, and Phoenix Technologies

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Its NOT Microsoft by Anonymous Coward · · Score: 0

      UEFI is not "secure boot". And "secure boot" is Micro$oft.

      So now you know why nobody ever brings this up but you...

    2. Re:Its NOT Microsoft by Anonymous Coward · · Score: 1

      UEFI 2.2 spec includes secure boot, ergo, secure boot is a part of UEFI.

      Secure boot is not Microsoft specific.

      If Red Hat so desired they could implement their own PK and certify hardware from vendors in the same way that Microsoft does.

      As usual ./ is allergic to facts and will continue the group-think despite the facts.

  27. *sigh* by ArchieBunker · · Score: 2

    To quote Wikipedia "The board of directors includes representatives from eleven "Promoter" companies: AMD, American Megatrends, Apple, Dell, HP, IBM, Insyde Software, Intel, Lenovo, Microsoft, and Phoenix Technologies."

    No, it's not just Microsoft.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:*sigh* by Anonymous Coward · · Score: 0

      Is this not equivalent to price fixing? Monopoly by committee?

  28. this is /. by Anonymous Coward · · Score: 0

    This is /. so nobody cares who else may be part of UEFI.
    All that matters is blaming Microsoft and praising Apple.

    1. Re:this is /. by Anonymous Coward · · Score: 0

      All that matters is blaming Microsoft and telling Apple to go fuck its fine shiny Day-Glo self and the horse it rode in on.

      TFTFY.

  29. Re:Will dell systems be able to use this or will M by gtall · · Score: 2

    In a sense, they do not own a piece of Dell. From what I understand, they contributed some dough as a loan and I have not heard they will have anyone on the board. Dell cannot live on the desktop market, in the server market they cannot ignore Linux.

    This doesn't stop MS from using its usual bag of dirty tricks, but if Dell has any sense and balls, he'll keep MS away from actually running the business.

  30. Re:So where does Win8 / Ubuntu dual boot stand now by corychristison · · Score: 1

    2-3 days a week, actually. Gentoo/Funtoo host and various guests.

    Having to reboot my system to use another OS is inconvenient.

  31. So, other than anticompetition... by epp_b · · Score: 1

    Whatever was the problem with the standard BIOS that we've had for decades? Having the PC's most "hardware-near" firmware locked down only to run code permitted by a third party seems like an extremely bad idea. The whole point of a computer is that it obeys MY instructions blindly and perfectly.

    I know, I've heard the argument for security, but has anyone ever even seen real, actual BIOS malware? As far as I'm concerned, that only exists in theory.

    1. Re:So, other than anticompetition... by blauregen · · Score: 2

      As I understood it, the reason for uefi was being able to boot from big harddisks, having prettier hardware-setting-screens, having a builtin network stack for remote maintenance, and so on. It is questionable whether it was necessary to specify pretty much a complete operating system including cli, just to run another OS, and the recent samsung brick fun, is a good hint that manufacturers will need a few years to iron even the bigger kinks out of their implementation, but uefi itself is in theory not without merits.

      The reason for secure boot isn't bios-malware, but boot malware. There are a few of those around, as far as I know. The problem with boot-rootkits would be that they can play hypervisor to your OS, which hides them perfectly from software running under it. The idea with trusted boot, again as far as I understood, would be to have a trusted bootloader, which loads a trusted kernel, which in turn loads trusted drivers and trusted applications, the trust being conveyed by signatures.

      Only... you have to start at the bottom, which is the bootloader, if you aim for such a chain of trust.

  32. Re:So where does Win8 / Ubuntu dual boot stand now by corychristison · · Score: 1

    In what situation would you need hardware accelerated access to two operating systems? Choose a host OS you use most and boot up your Guest OS on one of those displays. Honestly I've never seen the value in multiple monitors. On Linux we have Virtual Desktops for a reason.

    Also I don't know anyone who would ever need to dual boot on a system with only 1GB of RAM. And if they did it was for gaming, and they wouldn't be limited by RAM as they would have adequate hardware. And again, if they are gamers on a laptop, why the hell are they dual booting? Just spin up an OS under VirtualBox or similar on a Windows host.

    I still fail to see any legitimate reason to dual boot in 2013.

  33. Re:only by osu-neko · · Score: 2

    True. Except that it can be used to bypass secure boot:
    1. Boot secure OS.

    Easy, assuming Microsoft operating systems are defined as a "secure OS", which they are for purposes of secure boot, despite all evidence to the contrary.

    2. Hack it, get root.

    Easy, assuming a Microsoft OS again...

    3. Write hibernate image to the drive containing your hacked kernel, which includes disabling of the code to delete the image after use.

    No need to disable such. Once you're at the stage of "waking" into a hacked kernel to boot, you can just write a new image each reboot, becoming how you always boot from then on. In any case, the only real trick here, regardless of which way you decide to handle reboots, is writing a hibernate image and hacking the on-disk kernel in the image. Is this really any more difficult than hacking a kernel in memory? Indeed, isn't it easier?

    4. Trigger reboot.

    Yup... trivial... once you get past step 3, the machine is pwnt...

    It'd take some very impressive skill to do that - it isn't something you could just make a script-kiddie toolbox for.

    Anything that you can do, you can make a script-kiddie toolbox for. The person who makes the toolbox obviously has more impressive skills than a script-kiddie, but that's pretty much always the case. This is not the easiest hack in the world, but I would say calling this "near-impossible" is extreme hyperbole.

    --
    "Convictions are more dangerous enemies of truth than lies."
  34. Re:only by K.+S.+Kyosuke · · Score: 1

    True. Except that it can be used to bypass secure boot: 1. Boot secure OS. 2. Hack it, get root.

    Why exactly have you included steps 3 and 4? The way I see it, you can jump from 2 straight to 5!

    --
    Ezekiel 23:20
  35. Re:So where does Win8 / Ubuntu dual boot stand now by Rockoon · · Score: 1

    Honestly I've never seen the value in multiple monitors.

    Everyone stopped reading right here. Seriously.

    More pixels for less money than single monitor solutions. You were talking about value, right? Then why is it that you didn't even try the value calculation?

    --
    "His name was James Damore."
  36. Re:only by benjymouse · · Score: 1

    Why exactly have you included steps 3 and 4? The way I see it, you can jump from 2 straight to 5!

    rootkit.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  37. Absurd! by Anonymous Coward · · Score: 0

    Having to get, what amounts to approval, from Microsoft to run linux on new hardware.

    Sorry, but this is fucking disgusting!

  38. and everything old is new again by Burz · · Score: 1

    I noticed you mentioned Chromebooks...

    Those are x86 systems based on Linux (though not really a "Linux distro" thank goodness). ChromeOS is really starting to gain traction now, and it could reinvent the PC the way iOS/Android reinvented the smartphone and tablet.

    The important thing about ChromeOS and Android and the moribund Linux desktop distro class is not that they use Linux or FOSS but that they are things that MS doesn't own, yet they can run on standard x86 hardware. The issue is whether any non-MS OS will be a hassle to install on a PC.

    I think both you and the grandparent are being myopic about the Linux distro issue. Yes, the slipshod distro scene is almost laughable as a threat against Windows on the desktop. But that is not the only type of alternative and Google-backed stuff is quite credible. There ought to be a Godwin's law for PCs: Someone in a discussion about computers is bound to fixate inappropriately on desktop Linux.

    1. Re:and everything old is new again by epyT-R · · Score: 1

      ChromeOS is really starting to gain traction now, and it could reinvent the PC the way iOS/Android reinvented the smartphone and tablet.

      Yeah just what users who need desktops want: a system where all the software is a remote connection away from failure/locked in upgrade treadmills, and whose functionality can change any time.

      If the choice becomes chromeOS or a tablet, I'm done with computing.

  39. Re:only by kwark · · Score: 1

    You do know that s2disk supports encryption?
    man s2disk:
    "The uswsusp system supports encrypting the image written to disk and features a splash system, see uswsusp.conf(8) for more information"

    encrypt
      If the "encrypt" parameter is set to 'y', the s2disk and resume tools will use the Blowfish encryption algorithm to encrypt/decrypt the image. On resume and suspend you will have to supply a passphrase. By using a pregenerated RSA key, you can avoid having to type a passphrase on suspend. See the "RSA key file" option for more information.

    man uswsusp.conf
    "RSA key file
      If this option points to a valid RSA key, which can be created with suspend-keygen, the s2disk tool will generate a random key for the Blowfish encryption that will be passed to the resume tool within the image header with the help of the RSA cipher. Consequently you only need to type a passphrase on resume."

    To me it looks like there is no security issue with supporting restoring state from hibernate and secureboot.

  40. "Delivered By Microsoft"? by Anonymous Coward · · Score: 0

    Obviously I don't know what's going on here at all. I saw "delivered by Microsoft" and decided that I'm not interested in whatever it is. Should I bother to look into whatever this is about any further than that?

  41. Re:So where does Win8 / Ubuntu dual boot stand now by mjg59 · · Score: 1

    Wubi doesn't support UEFI. Once it does, it can use the same signed bootloader that Ubuntu currently uses.

  42. Re:So where does Win8 / Ubuntu dual boot stand now by corychristison · · Score: 1

    One monitor with 8 virtual desktops has more screen real estate than 3 physical monitors for the cost of one monitor.

    You can only focus on one screen at a time anyway, so what is the purpose of cocking your head over to look at something when you could simply switch virtual desktops?

    I keep 8 available on my desktop workstations and 6 on my laptop.

  43. Re:only by VortexCortex · · Score: 2

    True. Except that it can be used to bypass secure boot: 1. Boot secure OS. 2. Hack it, get root. 3. Write hibernate image to the drive containing your hacked kernel, which includes disabling of the code to delete the image after use. 4. Trigger reboot. 5. Pwnage.

    OK, I get where you're coming from, but you fail to see that Secure Boot and TPM are completely pointless endeavors, and they're FULL of holes because the OSes are FULL of holes. If there's a mistake in the kernel code that allows a root level exploit to happen then it can simply be re-exploited each time you boot your system, see? No need to mess with the boot-up files. Even if your CPU is running encrypted instructions of signed programs once you find some data that triggers a buffer overflow, you can simply use return oriented programming to build the exploit. This means your exploit is built out of "op codes" of data that jump from one existing piece of signed and encrypted code to another -- You don't even need to know what the code is that's executing, you just log the changes in state the locations perform, and these become your (complex) operations with which to build the exploit. This already exists, it's not hypothetical. Return Oriented Programming is made out of existing code, even if it's signed and encrypted. SecureBoot is pointless so long as kernels have mistakes that allow unexpected stack smashing, or heap function pointer overwriting. There doesn't seem to be any way to prevent the mistakes, since your human race tends to make mistakes. SecurityTheaterBoot is a more apt name for it.

    Ah, but if the kernels could be written correctly -- with no mistakes -- then there would be no exploit vectors to exploit, and thus absolutely no reason for Secure Boot to exist. It's pointless from a security perspective, it serves primarily to make it harder for users to install alternate OSs. That's all. SecureBoot should be considered harmful and avoided if possible.

    It'd take some very impressive skill to do that - it isn't something you could just make a script-kiddie toolbox for.

    NO, that's just wrong. Do you even know what you're talking about? Yes, it takes more skill than a script-kiddie currently has, but it just takes one skilled hacker to crack the system and add the exploit to an exploit tool kit then the script-kiddie toolbox would contain the impressive exploit.

    What? Exploits aren't impressive anymore once they've been automated? Gimme a break man. This happens all the time, it's HOW script kiddies even exist. Ugh, sorry, but your words reek of ignorance -- It's like you don't even comprehend what your words imply (by your logic script kiddies wouldn't exist).

    The only way to prevent this is for the kernel to use TPM hardware to sign the boot image. As this isn't yet an option, it's debated if Secure Boot Linux should also disable hibernation, in order to be strictly compliant, even though it introduces much user annoyance to provide protection against an attack that would be near-impossible for even the best hacker to pull off.

    "Only" -- That word shouldn't be used lightly, because it tries hard to make you a fool, every time. What if we put Linux in the BIOS firmware? The PC turns on and is running Linux. Firmware can check its hash / fingerprint matches the install image on boot, like it does already, (even CMOS checksums for integrity), without requiring anyone to be in bed with a flawed PKI model run by Microsoft. If we simply give users an option in the BIOS boot menu that says: "Enable OS install on next boot", and it would flash part of the firmware with the /boot/ data. That would be TONS simpler than entering a long hex code that they're going to fuck up, and to bypass this unencrypted method of booting securely would require entering BIOS and changing a setting (or cracking BIOS security) -- Which is exactly the same as with Secure boot.

    If the OS w

  44. So what happens if a signing key gets lost by blauregen · · Score: 1

    Assuming the key used to sign my pretty new Ubuntu, Fedora, Windows, Whatever-(pre)-bootloader finds - through whatever means of social engineering, bribing or disgruntled janitor - its way to the notorious IT-entrepreneur Mal Wareauthor, who uses it to sign boot-rootkits.

    As I understood it, a key used for such nefarious purposes would be blacklisted. Now, will my platform vendor update my key-DB remotely? Will the updated DB be in the next firmware-update? That would pretty much kill the computer for every single installation of the signed OS, until someone tells the victim how to disable secure boot.

    Oh, and every install-medium with a blacklisted signature would be useless too, but that's fine. I can always recycle useless optical discs as coasters, and make new ones from images. I guess Microsoft would provide one in such a case too.

    It looks to me as if blacklisting a leaked key isn't something I would like to be responsible for. Did I overlook something?

  45. Re:only by Anonymous Coward · · Score: 0

    2. Hack it, get root.

    Easy, assuming a Microsoft OS again...

    I'd ask you to prove how easy it is, but I know that you are a full of shit troll.

  46. Re:only by Joce640k · · Score: 1

    Try Google...

    --
    No sig today...
  47. Nonsense by Anonymous Coward · · Score: 0

    Am I the only one who thinks the presence of a "some new bullshit protocol compliant" bootloader is more worthless than the new protocol?

    The open source community should not be aiming to be compliant with anything like this.

  48. Meh... by closer2it · · Score: 1

    I'll wait for the pre-pre-bootloader.

  49. Re:only by Anonymous Coward · · Score: 0

    Once you realise that SecureBoot isn't designed to protect you, or your OS, it all begins to make sense. SecureBoot has been created to kill off the likes of DAZ Loader. That's all there is to it.

  50. Re:only by Anonymous Coward · · Score: 0

    2. Hack it, get root.

    Easy, assuming a Microsoft OS again...

    Yeah, you swallow that anti-MS Kool-Aid. If it's so easy, how about you tell us how you can just hack Windows 8 and get root? Oh right, you can't.